diff options
Diffstat (limited to 'x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch')
-rw-r--r-- | x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch new file mode 100644 index 000000000000..c5755a49ce1a --- /dev/null +++ b/x11-libs/qt-webkit/files/qt-webkit-4.5.3-cve-2010-0046-css-format-mem-corruption.patch @@ -0,0 +1,25 @@ +diff -up qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp +--- qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp.cve-2010-0046-css-format-mem-corruption 2009-09-29 13:01:35.000000000 +0200 ++++ qt-x11-opensource-src-4.5.3/src/3rdparty/webkit/WebCore/css/CSSParser.cpp 2010-02-04 15:00:24.778776273 +0100 +@@ -3085,6 +3085,12 @@ bool CSSParser::parseFontWeight(bool imp + return false; + } + ++static bool isValidFormatFunction(CSSParserValue* val) ++{ ++ CSSParserValueList* args = val->function->args; ++ return equalIgnoringCase(val->function->name, "format(") && (args->current()->unit == CSSPrimitiveValue::CSS_STRING || args->current()->unit == CSSPrimitiveValue::CSS_IDENT); ++} ++ + bool CSSParser::parseFontFaceSrc() + { + RefPtr<CSSValueList> values(CSSValueList::createCommaSeparated()); +@@ -3111,7 +3117,7 @@ bool CSSParser::parseFontFaceSrc() + CSSParserValue* a = args->current(); + uriValue.clear(); + parsedValue = CSSFontFaceSrcValue::createLocal(a->string); +- } else if (equalIgnoringCase(val->function->name, "format(") && allowFormat && uriValue) { ++ } else if (allowFormat && uriValue && isValidFormatFunction(val)) { + expectComma = true; + allowFormat = false; + uriValue->setFormat(args->current()->string); |